Netgate Discussion Forum
    Pfsense selects wrong gateway on WAN fail with Default Gateway Switching enabled

    Routing and Multi WAN. 3 Posts, 3 Posters, 2.8k Views
    nzkiwi68:

      I am having LOTS of trouble on a site:

      Interfaces
      WAN1 - fibre to ISP with a /27 subnet (I'll call this 202.202.202.2 /27), WAN1GW 202.202.202.1 and this is pfsense's default gateway
      WAN2 - vDSL to ISP with a /27 subnet (I'll call this 203.203.203.2 /27), WAN2GW 203.203.203.1
      LAN - to layer 3 switch with a /24 subnet (I'll call this 192.168.0.1 /24), no gateway set on the LAN interface (of course!)
      DMZ - various, with a /24 subnet (I'll call this 192.168.50.1 /24), no gateway set on this DMZ interface (of course!)

      LAN has a layer 3 switch, with a number of RFC1918 subnets routed.

      Thus, pfsense has a gateway defined called L3SWITCH (192.168.0.254) and a number of static routes to it, such as:
      192.168.8.0/24 static route to L3SWITCH
      192.168.7.0/24 static route to L3SWITCH
      192.168.10.0/24 static route to L3SWITCH
      192.168.22.0/24 static route to L3SWITCH

      On the DMZ there is also another firewall/VPN box, IP 192.168.50.100, which hosts a VPN to 172.16.22.0/24 (don't ask why…).

      So, pfsense has a gateway defined called DMZVPN (192.168.50.100) and a static route to it:
      172.16.22.0/24 static route to DMZVPN

      pfsense gateways that it knows about:

      • DMZVPN - on the DMZ interface

      • L3SWITCH - on the LAN interface

      • WAN1GW - on the WAN1 interface

      • WAN2GW - on the WAN2 interface

      Only the WAN1 and WAN2 interface inside pfsense have a gateway set under their interface settings!

      The problem

      If you enable Default Gateway Switching (under "System > Advanced > Miscellaneous") - pfsense unbelievably selects L3SWITCH and sends all the internet traffic there!

      Yes, I understand policy based routing, but my problem is that pfsense ITSELF on WAN1 failure is just not getting out to the internet: it becomes slow, then times out, dynamic DNS doesn't update, etc., all because, on default gateway switching, pfsense is selecting a gateway that is defined on pfsense but is not a gateway on an interface that is defined as having a default gateway (such as WAN1 or WAN2).

      There appears to be NO method for controlling which gateway pfsense changes to on default gateway failure.

      The Answer

      Allow us under the gateways section to order / set the gateways in a top down preference order so we can control on default gateway failure WHICH gateway gets used next as the new pfsense default gateway.

      or

      Allow us under the gateways section to set a metric against each gateway (which will achieve the same thing as the above)

      and/or

      By default, pfsense should always first select a gateway that is on an interface that actually has a default gateway defined on the interface settings (such as WAN1 and WAN2) and never try to use gateways that are on interfaces that don't have a default gateway set (such as LAN or DMZ).

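      The failure mode described above (and repeated by jazzl0ver below) is easy to spot from the routing table: after a switch, the `default` entry points at a gateway that lives on LAN or DMZ rather than on a WAN. The script below is an added example, not code from the post or from pfSense: it parses constructed `netstat -rn -f inet` output laid out in the FreeBSD format pfSense uses, names which defined gateway currently holds the default route and whether that gateway is an upstream one, and models the preference-ordered selection the post asks for. The interface names (igb0..igb3), the gateway table and both netstat snapshots are assumptions built from the addressing in the post.

```python
"""Check which gateway holds the default route and model a preference-ordered
failover. Added example for the thread above; not pfSense code. The interface
names and the netstat snapshots are constructed from the post's addressing."""

import re

# Gateways as the post defines them. "upstream" marks a gateway that is set on
# its interface's settings (WAN1, WAN2); L3SWITCH and DMZVPN only exist as
# targets for static routes and should never become the default gateway.
GATEWAYS = {
    "WAN1GW":   {"ip": "202.202.202.1",  "iface": "igb0", "upstream": True},
    "WAN2GW":   {"ip": "203.203.203.1",  "iface": "igb2", "upstream": True},
    "L3SWITCH": {"ip": "192.168.0.254",  "iface": "igb1", "upstream": False},
    "DMZVPN":   {"ip": "192.168.50.100", "iface": "igb3", "upstream": False},
}

# Constructed `netstat -rn -f inet` output while WAN1 is healthy.
NETSTAT_OK = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            202.202.202.1      UGS       igb0
127.0.0.1          link#5             UH        lo0
172.16.22.0/24     192.168.50.100     UGS       igb3
192.168.0.0/24     link#2             U         igb1
192.168.8.0/24     192.168.0.254      UGS       igb1
192.168.50.0/24    link#4             U         igb3
202.202.202.0/27   link#1             U         igb0
203.203.203.0/27   link#3             U         igb2
"""

# Constructed snapshot of the symptom in the post: WAN1 is down, Default
# Gateway Switching has moved the default route onto the layer 3 switch.
NETSTAT_SWITCHED = NETSTAT_OK.replace(
    "default            202.202.202.1      UGS       igb0",
    "default            192.168.0.254      UGS       igb1",
)

# Destination, gateway, flags and netif are the first four whitespace-separated
# columns; Expire is often empty, so it is not required.
ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_routes(text):
    """Return [(destination, gateway, flags, netif), ...] from netstat output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        # Skip the "Routing tables" banner and the column header line.
        if not m or m.group(1) in ("Routing", "Destination"):
            continue
        routes.append(m.groups())
    return routes


def default_route(text):
    """(gateway_ip, netif) of the default route, or (None, None) if absent."""
    for dest, gw, _flags, netif in parse_routes(text):
        if dest == "default":
            return gw, netif
    return None, None


def default_gateway_check(text, gateways=GATEWAYS):
    """Name the defined gateway holding the default route and report whether it
    is an upstream gateway. Returns (name_or_ip, is_upstream)."""
    gw, _netif = default_route(text)
    for name, g in gateways.items():
        if g["ip"] == gw:
            return name, g["upstream"]
    # Default route points at something not defined as a gateway at all.
    return gw, False


def pick_default(status, order=("WAN1GW", "WAN2GW"), gateways=GATEWAYS):
    """The selection rule the post proposes: walk a preference list of upstream
    gateways and return the first whose monitor status is "up". A non-upstream
    gateway is never chosen, even if it is the only one up."""
    for name in order:
        if gateways[name]["upstream"] and status.get(name) == "up":
            return name
    return None


if __name__ == "__main__":
    for label, snap in (("healthy", NETSTAT_OK), ("after switch", NETSTAT_SWITCHED)):
        name, ok = default_gateway_check(snap)
        print(f"{label}: default via {name} ({'upstream' if ok else 'NOT an upstream gateway'})")
    print("preferred failover:", pick_default({"WAN1GW": "down", "WAN2GW": "up", "L3SWITCH": "up"}))
```

      On a live box the same check can be fed the real table with `netstat -rn -f inet`; if `default_gateway_check` ever reports a non-upstream gateway, the firewall itself has lost its path to the internet even though policy-routed LAN traffic may still be flowing.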
      heper:

        > Yes, I understand policy based routing, but my problem is that pfsense ITSELF on WAN1 failure is just not getting out to the internet: it becomes slow, then times out, dynamic DNS doesn't update, etc., all because, on default gateway switching, pfsense is selecting a gateway that is defined on pfsense but is not a gateway on an interface that is defined as having a default gateway

        Most of the slowness of the GUI upon default GW failure has been fixed over the last couple of years (or that's my experience at least).
        If you still have issues without gateway switching, then it might be good to figure out why.

        I used to run with gateway switching enabled, but it generates more problems than it solves.

      jazzl0ver:

          Faced the same issue. Can't avoid using gateway switching, since pfsense itself will not be able to reach the Internet in this case. Any suggestions?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.